Incident Response is an IT Essential: Exclusive Interview with Former NSA Deputy Director

The true security of any business—the ability to maintain competitive advantage, manage the organization’s reputation and retain customers—depends on mitigating risk. Yet most enterprises are unprepared for cyber security threats, and underestimate the amount of damage they can do.

On average, it takes companies a full month—longer if an insider is involved—to resolve security incidents once they are identified. In fact, a recent report from the Ponemon Institute found that 75 percent of U.S. organizations are not prepared to respond to cyber attacks.

We had the opportunity to interview John Chris Inglis, former deputy director at the NSA and chairman of the Securonix Advisory Board. In a two-part interview, Inglis shares his insights into how enterprises can find and thwart threats.

In part two of our interview, we explore Inglis’s thoughts on incident response, including what the NSA learned from the Edward Snowden case. We also provide the Forsythe perspective on this critical part of IT security.

Forsythe: During your time at the NSA, you dealt with one of the most notorious insider threats in history. What was your biggest takeaway from managing the Edward Snowden case?

John Chris Inglis: My biggest takeaway was that we didn’t balance prevention with other urgent problems. If you had asked at the time, the NSA would have said that we had a strategy for insider threat prevention, detection, mitigation and response. However, it became clear that we didn’t give equal weight to each aspect of our strategy. It’s important to note that even with our plans in place, we still couldn’t move at the same speed that our adversary could. For these low-probability but high-consequence events, prevention, detection, mitigation, and response all require equal time and attention.

Forsythe Perspective: As Inglis notes, in any security program it is critical to have a balanced approach, yet far too many organizations favor prevention over their detection and response capabilities. Organizations historically spend the majority of their budget on defense—this needs to change. While we would all prefer to prevent issues from occurring in the first place, the current threatscape has proven that no one is immune to a breach. Maintaining robust detection capabilities, developing plans and dedicating resources to address security escalations is equally critical.

Forsythe: What could the NSA have done differently to prevent Snowden from succeeding?

Inglis: First, I would have moved to continuous monitoring. If somebody crosses into restricted territory or exhibits unusual digital behavior, you can quickly step in and do some forensics that determine the nature of the event and what you can do to mitigate it.

In the past 10 or 15 years, we have concentrated more power in the hands of both privileged and non-privileged users. This is due to the machines and networking that we provide to them. We need to understand what they’re doing with this authority and gain these insights in near-real time.

The second thing I would have done is to make sure the NSA's version of the story was published before any other version of the story got out. In today’s media-driven world, of course, that can be almost impossible to do. But it can also be critical to getting the accurate account known.

At the time, we thought staying out of the limelight was to our benefit—not because there were things we weren't proud of, but rather because we thought we needed to stick to developing our data and getting our business done. We thought people would respect our focus on the job at hand and the outcomes derived from that focus.

But, in the summer of 2013, it wasn't evident to everybody that Snowden was broadcasting allegations, not revelations. And we realized our mistake too late. It was really difficult to catch up to his story once it spread. The public didn't have the NSA’s full version of the story to compare and contrast with different claims.

Preparation and excellent incident management are absolutely essential to any IT strategy.

Forsythe Perspective: Traditionally, most organizations focus on securing the perimeter and provide insiders with a much greater level of access and trust. However, as the Snowden incident proved, insider and outsider threats should be treated with an equal weight. And, remember not to focus solely on malicious insider threats; human error can be equally damaging.

According to the 2015 Verizon Data Breach Investigations Report, 55 percent of the incidents they studied involved some form of privilege abuse, while almost 60 percent of incidents involved improper data handling (e.g. sending data to the wrong recipient, publishing data in the wrong place, improper disposal of data). Having the ability to detect these types of issues, a strategy for incident containment and a plan for communicating to the public is critical.

And remember: there is always room for improvement. For organizations with mature detection and response capabilities already in place, keep an eye on how you can evolve your strategies to keep up with the changing threatscape. New tools continue to arrive in the marketplace that allow better detection of anomalous user behavior so that your organization can have an even better view into insider threats.

Forsythe: With the rise of external threats from nation states and other organized crime, how should enterprises balance their spending and resources to focus on the inside threat vs. outside threat? Do you view inside and outside threats as being mutually exclusive or intertwined?

Inglis: I wouldn't think of these as a series of discrete problems.

The insider threat problem is challenging, but we've made it harder than it needs to be. Organizations typically devise a tactic for every threat and vulnerability; they design security architectures from the bottom up. These types of tactics, devices and data sets tend to be one-offs that attack a single facet of the problem, rather than the problem at large.

The key is to work with a top-down strategy that is coupled with the opportunities, devices, and bottom-up tactics that most businesses have already established. Focus on developing strategies that solve more than one problem. When you think about outsider threats, insider threats, and compliance issues, the problem comes down to the exercise of privilege against your data.

If you understand who or what is exercising privilege against your data, you can define what data matters to you and what roles are allowed to exercise privilege. Then, you can focus on behaviors as opposed to individual transactions.

If you focus on behaviors, you simplify a complicated problem to something that is more manageable. This can give you a leg up on monitoring outsider threats, insider threats, and compliance simultaneously. I'm not saying that it's a straightforward or easy task, but splitting them as if they're three separate items makes the job a lot harder.

It’s also important to set expectations that an IT organization is not capable of building and operating a completely secure system. Instead, time and resources should be spent on making defensible systems—and then actually defending them.

Adversaries are at our doors 24/7. We need to be equally vigilant with respect to securing and defending our systems. If you do that, you might outwit your enemies.

Forsythe Perspective: As Inglis points out, taking a bottom-up approach—perhaps by looking at technology alone—can lead to security controls that are easily bypassed by inside or outside threats. It is important to have a more comprehensive view to address the myriad ways that someone could bypass a single security control. To combat both inside and outside threats with your security strategy, it is more practical to first take a top-down approach, using risk as a lens to evaluate the right balance between usability and security for your organization. Then, using a bottom-up view, take a look at the security controls currently in place to ensure you have the correct architecture to execute your security strategy.
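Inglis's point that the problem "comes down to the exercise of privilege against your data" and that monitoring should focus on behaviors rather than individual transactions can be made concrete. The following is an added illustration, not code from the interview, Forsythe or Securonix: it uses a constructed role-to-data policy and a constructed access log (all names and numbers are made up), and shows two checks side by side: a per-transaction policy check, and a behavior check that compares each user's latest-day volume of privileged access against that user's own baseline, which catches a user whose every single read is permitted but whose pattern is not.

```python
from collections import defaultdict
from statistics import mean

# Constructed policy: the data that matters, and the roles allowed to exercise privilege against it.
SENSITIVE_DATA = {
    "source_code": {"engineering"},
    "finance_ledger": {"finance"},
    "hr_records": {"hr"},
}

def _events(user, role, data, per_day):
    """Build constructed log entries: per_day[i] accesses to `data` on day i+1."""
    return [{"user": user, "role": role, "data": data, "day": d + 1}
            for d, n in enumerate(per_day) for _ in range(n)]

# Constructed access log (hypothetical users); each entry is one individual read.
ACCESS_LOG = (
    _events("alice", "engineering", "source_code", [3, 3, 3, 3, 3, 40])  # permitted role, abnormal volume on day 6
    + _events("bob", "finance", "finance_ledger", [2, 2, 2, 2, 2, 2])   # permitted role, steady behavior
    + _events("carol", "marketing", "hr_records", [0, 0, 0, 0, 0, 1])   # role never granted this data
)

def policy_violations(log):
    """Transaction-level check: a role exercising privilege it was never granted."""
    return sorted({e["user"] for e in log
                   if e["data"] in SENSITIVE_DATA and e["role"] not in SENSITIVE_DATA[e["data"]]})

def behavior_anomalies(log, min_baseline_days=3, factor=5.0):
    """Behavior-level check: latest-day privileged-access volume vs. the user's own earlier days.

    Returns {user: (baseline_per_day, latest_day_count)} for users whose latest day
    exceeds `factor` times their baseline. Thresholds are illustrative assumptions.
    """
    per_user = defaultdict(lambda: defaultdict(int))
    for e in log:
        if e["data"] in SENSITIVE_DATA:
            per_user[e["user"]][e["day"]] += 1
    flagged = {}
    for user, by_day in per_user.items():
        days = sorted(by_day)
        latest, history = days[-1], days[:-1]
        if len(history) < min_baseline_days:
            continue  # too little history to judge behavior; rely on the policy check instead
        baseline = mean(by_day[d] for d in history)
        if by_day[latest] > factor * baseline:
            flagged[user] = (baseline, by_day[latest])
    return flagged
```

Run against the constructed log, the policy check names only carol, while the behavior check names only alice, whose 40 reads on day 6 were each individually allowed; a transaction-by-transaction rule would never have raised her.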

Forsythe: What should IT leaders keep in mind when considering insider threat and incident management strategies?

Inglis: Gone are the days when we can act at human speed to counter threats and adversaries that are working at network speed. There is in fact a human being behind every cyber threat; however, they will always have a leg up on you. They’ve already had the benefit of being able to think their way through each step. By the time you detect them, they already have a plan in motion and can move at net speed.

We need to anticipate their behavior and act at the same speed, or close behind. This requires a lot of planning and some alternative courses of action. If you don’t do this, your adversaries will win.

The NSA has gone to great lengths to understand what insider threat has looked like over the past 70 years, and what it may look like in the future. We discovered how our methods worked well for fighting insider threat in the past, but the way the Snowden case unfolded told us that the next year and beyond will be nothing like the last 70 years. Because we weren't able to operate at the same speed at that moment in time, we fell behind in the timeline of actions. We knew we needed a new perspective if we were going to prevent that from happening again.

Remember: incident response and management is a people thing, not an IT thing. You're not beating the technology or winning based on technology. You're winning based on your strategy and your people's ability to execute that strategy.

Forsythe Perspective: To protect your company from ever experiencing a breach, security teams would have to be "right" 100 percent of the time about an infinite number of threat scenarios—a daunting fact when you consider that a hacker or a malicious or careless employee only needs to find the right path through your defenses once. IT security can no longer focus solely on defense; you should have a holistic view. There will always be effective tools and intelligent strategies to help mitigate risks, but don’t forget about organizing your team for success in detection and response as well. If you begin with a team-based initiative to identify the risks your company faces, then work together to remain invested in your approach, you are much more likely to develop and execute a successful and balanced security strategy.